I am posting a short script that may be related to malicious code. This text was written without creating the map of infected machines.
#!/usr/bin/perl -w
use strict;
use warnings;
use Data::Dumper;
use FileHandle;
use IO::Handle;
use IO::Socket::INET;
use Net::Ping;
use Net::TFTP;
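BEGIN
{
    ## Self-integrity stamp.  The file is expected to end with the exact
    ## text  #fakessh @='N'  where N is the byte length of everything that
    ## precedes the stamp.  On the first run the stamp is appended to the
    ## file; on later runs the recorded N is compared with the current
    ## length and the script refuses to run on a mismatch.
    ##
    ## NOTE(review): a length check is not tamper-evident.  Anyone who can
    ## edit this file can also rewrite the stamp (or delete it, after which
    ## the next run re-stamps the modified file as clean).  Treat this as a
    ## trip-wire against accidental truncation, not as protection against
    ## modification; real integrity needs a digest kept outside the file.
    ##
    ## $0 is the name this script was invoked under, which the caller
    ## controls (argv[0] can be set to anything).  The original 2-arg
    ## open(ME, $0) would have treated a leading '|', '<' or '>' or a
    ## trailing '|' in that name as a mode or a pipe; 3-arg open pins the
    ## mode so the name is only ever a path.
    my $self = $0;
    open my $in, '<', $self
        or die "Cannot read own source $self to verify it: $!\n";
    my $me = do { local $/; <$in> };
    close $in;
    $me = '' unless defined $me;

    ## Same pattern as before: '$' (not \z) so a stamp followed by a single
    ## newline still matches -- and then fails the length check, exactly as
    ## the original did.
    my $stamp_re = qr/#fakessh \@='(\d+)'$/;

    unless ($me =~ $stamp_re) {
        ## Not stamped yet: record the current length and append the stamp.
        my $length = length $me;
        my $stamp  = "#fakessh \@='$length'";
        if (open my $out, '>>', $self) {
            print {$out} $stamp;
            close $out or warn "Cannot finish writing stamp to $self: $!\n";
        }
        else {
            ## Unwritable location (read-only install): keep running, but say
            ## so -- silently skipping the stamp made the check vacuous.
            warn "Cannot append integrity stamp to $self: $!\n";
        }
        $me .= $stamp;
    }

    my ($recorded) = $me =~ $stamp_re;
    $me =~ s/$stamp_re//;
    die "File $self has changed ?viral infection?\n"
        unless defined $recorded && $recorded == length $me;
}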
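## ---- Command-line arguments and shared scan state --------------------------
## Usage: perl $0 <file_to_transfer> <log_file_ping_ip>
##   $filename    -- local file that the scan loop pushes by TFTP (under the
##                   same name) to every host that accepted a TCP connect on
##                   $port.
##   $lastlogping -- log file that receives one "alive ..." line per host;
##                   the scan loop reopens it in append mode for each host.
my $filename    = $ARGV[0];
my $lastlogping = $ARGV[1];
usage() unless defined $filename    && length $filename;
usage() unless defined $lastlogping && length $lastlogping;

## Fail before the sweep starts rather than once per host: the scan can run
## for a very long time and an unreadable file would only surface as a
## failed put on every host (and put's result is not checked there).
die "Cannot read file to transfer '$filename': $!\n"
    unless -f $filename && -r _;

my $RESEAU;            # third octet of the address being probed (2..210)
my $IP;                # fourth octet of the address being probed (2..254)
my $tftp;              # Net::TFTP client for the current host
my $port = 69;         # TCP port probed before a TFTP put is attempted
                       # (NOTE(review): TFTP itself speaks UDP/69)
my %state;             # nested counters: time -> ping -> sock -> tftp -> key
my $state;             # never assigned in this file; interpolated (undef)
                       # into one progress line by the scan loop
my $pingerping;        # set to 1 in the ping branch of the scan loop
my $pingersocktftp;    # 1 once the TCP connect to $port succeeded
my $transfertftp;      # 1 once a Net::TFTP object exists for the host
my $scalarlocaltime;   # timestamp taken at the start of each host probe
my @map;               # filled from %state after the sweep

## Progress lines must appear immediately when STDOUT is a pipe or a file.
STDOUT->autoflush(1);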
## ---- Scan loop -------------------------------------------------------------
## For every address 10.36.2.2 .. 10.36.210.254 (third octet 2..210, fourth
## octet 2..254) this does, in order:
##   1. a Net::Ping UDP ping (effectively side-effect only; see the comma
##      in the condition below),
##   2. a TCP connect to $port (69) with a 5 s timeout,
##   3. if that connect succeeded, a Net::TFTP binary put of $filename under
##      the same name on that host,
##   4. one " alive ..." line appended to $lastlogping.
## Be clear about what this does on a live network: it pushes the
## caller-supplied file to every host in the range that accepts TCP/69.
## With a 5 s TCP timeout plus the ping timeout per host, a full sweep of
## 209 x 253 = 52,877 addresses can take a very long time.
## NOTE(review): TFTP servers listen on UDP/69, so the TCP connect used as
## the gate in step 2 is not a test for a TFTP service; which hosts pass it
## depends on whatever happens to listen on TCP/69 there.
for ($RESEAU = 2; $RESEAU <= 210; $RESEAU=$RESEAU+1)
{
    for ($IP = 2; $IP < 255; $IP = $IP+1)
    {
        ## Always true: a non-empty string.  Kept as-is.
        if ("10.36.".$RESEAU.".".$IP)
        {
            $scalarlocaltime = scalar localtime;
            my $p = Net::Ping->new('udp');
            print "\nPinging host 10.36.$RESEAU.$IP\n";
            ## NOTE(review): the condition is a comma expression.  In scalar
            ## context it runs the ping, discards its result and yields the
            ## constant 1, so this branch executes for every host whether or
            ## not it answered.  (Without the ",1" the three flags would only
            ## be reset for hosts that replied and would otherwise carry over
            ## from the previous host.)
            if ($p->ping("10.36.$RESEAU.$IP"),1) {
                ## If we didn't know it was up, spew that out now..
                $pingerping = 1; $pingersocktftp = 0;$transfertftp = 0;
                ## NOTE(review): the subscript 10.36.$RESEAU.$IP is an
                ## expression -- the number 10.36 concatenated with the two
                ## octets, e.g. "10.3622" -- not the dotted address.  It is
                ## also one level shallower than the ++ below writes, so the
                ## slot is never set and this "was up" line prints for every
                ## host.
                print "10.36.$RESEAU.$IP\twas up at ", scalar localtime, "\n" unless $state{$scalarlocaltime}{$pingerping}{$pingersocktftp}{10.36.$RESEAU.$IP};
                ## Update the number of times we've seen it up
                ## (same undotted key: distinct hosts such as 10.36.2.22 and
                ## 10.36.22.2 both map to "10.36222").
                $state{$scalarlocaltime}{$pingerping}{$pingersocktftp}{$transfertftp}{10.36.$RESEAU.$IP}++;
                ## And let STDOUT know about it, too.
                ##print "alive $scalarlocaltime $pingerping $pingersocktftp 10.36.$RESEAU.$IP time";
            }
            ## TCP probe of port $port.  IO::Socket::INET is not use'd in this
            ## file; presumably one of the imported modules loads it -- verify,
            ## or add an explicit use line.
            my$sock=IO::Socket::INET->new(
                PeerAddr=>"10.36.$RESEAU.$IP",
                PeerPort=>"$port",
                Proto=>"tcp",
                Timeout=>"5")
            or warn "Cannot connect port 69 to 10.36.$RESEAU.$IP\n";
            if (defined $sock) {
                $pingersocktftp = 1;
            }
            ## Update the number of times we've seen it up
            $state{$scalarlocaltime}{$pingerping}{$pingersocktftp}{$transfertftp}{10.36.$RESEAU.$IP}++;
            ## And let STDOUT know about it, too.
            ##print " alive ($pingerping $pingersocktftp 10.36.$RESEAU.$IP",scalar localtime;
            ## Only the last host with this flag combination in this second
            ## survives here; earlier ones are overwritten.
            $state{$scalarlocaltime}{$pingerping}{$pingersocktftp}{$transfertftp}{alive} = "10.36.$RESEAU.$IP";
            ##make log map
            if (defined ($sock )){
                ## NOTE(review): whether Net::TFTP->new contacts the server is
                ## not visible here; the only failure signal for the transfer
                ## is what put() returns, and that is discarded below.
                $tftp = Net::TFTP->new("10.36.$RESEAU.$IP", BlockSize => 1024)
                or warn "cannot connect tftp serveur\n";
                if (defined ($tftp)){
                    $transfertftp = 1;
                    ## Update the number of times we've seen it up
                    $state{$scalarlocaltime}{$pingerping}{$pingersocktftp}{$transfertftp}{10.36.$RESEAU.$IP}++;
                    ## And let STDOUT know about it, too.
                    ## $state (the scalar) is never assigned anywhere in this
                    ## file, so this interpolates undef (warning) and no
                    ## newline is printed.
                    print "$state $scalarlocaltime $pingerping $pingersocktftp 10.36.$RESEAU.$IP transfert start";
                    $tftp->binary;
                    ## Remote name is the local path exactly as typed on the
                    ## command line (directory part included).  The result is
                    ## not checked; see Net::TFTP's documentation for how put
                    ## reports failure.
                    $tftp->put($filename,$filename);
                }
            }
            ## One line per host in the ping log; the handle is opened and
            ## dropped for every host.  A failed open is silently skipped.
            my $fh = FileHandle->new($lastlogping , "a");
            if (defined($fh)){
                print $fh " alive $scalarlocaltime $pingerping $pingersocktftp $transfertftp 10.36.$RESEAU.$IP\n";
                undef $fh;
            }
        }
    }
}
## NOTE(review): this does not build a host map.  In list context %state
## flattens to (key, hashref, key, hashref, ...); for each of those items the
## block looks up $state{$_}{$_}{$_}{$_}{$_}, i.e. the same string (a
## timestamp, or a stringified hashref) at every level.  No such path is
## ever written by the scan loop, so the value is undef in practice, and the
## rvalue lookup autovivifies the intermediate levels into %state as a side
## effect.  @map ends up as (item, undef, item, undef, ...) and is not used
## anywhere below.
@map = map { $_ => ${state{$_}{$_}{$_}{$_}{$_}}} %state;
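## Print the usage text and exit.  Called when either command-line argument
## is missing.  Goes to STDERR with a non-zero status so a wrapper script
## can tell a usage error from a completed run.  The text describes what the
## scan loop in this file actually does (the earlier wording spoke of a
## single C-class subnet and an nmap scan, neither of which matches the
## code).
sub usage {
    print STDERR <<"EO_USAGE";
This program scans the address range 10.36.2.2 - 10.36.210.254 and lists
all machines: first a UDP ping, then a TCP connect to port 69, and for
hosts that accept that connect an upload of <file_to_transfer> with a
TFTP client. One " alive ..." line per host is appended to
<log_file_ping_ip>.
Usage: perl $0 <file_to_transfer> <log_file_ping_ip>
EO_USAGE
    exit 1;
}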
#fakessh @='3715'
I tried to encode a kind of map of machines with this instruction:
@map = map { $_ => ${state{$_}{$_}{$_}{$_}{$_}}} %state;
What do you think? What would be the easier and correct technique to encode such a map so that the information inside it can be inspected?
If there is a better technique, could you give me an example?